
Re: [FW-1-MAILINGLIST] [FW1] (Still having) NAT Problem (and anti-spoofing is ok)



Lorenzo,

I'm getting a little late into this, but looking at your original email, it
seems that the NAT map you created is half-done.
What you describe goes only one way. You probably need to build a second
rule for the reverse packets.

I.e.

Src           Dst           Svc    XSrc                        Xdst          Svc
Internal_IP   Vendor_IP     Any    External_IP (Static mode)   Original      Original
Vendor_IP     External_IP   Any    Original                    Internal_IP   Original

Make sure you have your route and arp entries. Finally, your rule should
look something like this.

Src           Dst           Svc    Action
Vendor_IP     External_IP   ???    Accept

Let me know how it goes.
George

 -----Original Message-----
From:   Satana [mailto:[email protected]]
Sent:   Friday, October 05, 2001 6:16 AM
To:     [email protected]
Subject:        Re: [FW-1-MAILINGLIST] [FW1] (Still having) NAT Problem (and anti-spoofing is ok)

Hi guys!
Lots of you told me to check my anti-spoof settings.
Well...that's ok (I even published other machines over the Internet the same
way!)
I really don't know what to do
Thanx again for kind interest

Lorenzo


----- Original Message -----
From: "Steven Wu" <[email protected]>
To: "Satana" <[email protected]>
Cc: <[email protected]>
Sent: Thursday, October 04, 2001 10:27 PM
Subject: Re: [FW1] (Still having) NAT Problem


> It might be related to your fw object anti-spoofing configurations too.
> Please check.
>
> Anyway, I would recommend trying the tcpdump or snoop command to sniff your
> fw interface with the target web server and see what the translated packets
> look like and how the traffic routes. It might tell you the problems.
>
> Good luck !
>
> Steven
>
>
> Satana wrote:
>
> > Hi everybody and thanx for all your answers....
> > I've checked my FW1 rules & Address Translations and...you got me! Something
> > was messed up.
> > Anyway..... I forgot to say that I obviously did the ARPing (arp -s EXT_IP
> > MAC_ADDR pub) and I added the route (route add EXT_IP INT_IP 1), but still
> > it isn't working. I've got an error in the FW1 logs regarding rule 0 (?). I'm
> > pretty out of any ideas...
> > Thanx again for help and interest
> >
> > Lorenzo
> >
> > ----- Original Message -----
> > From: "Chris Arnold" <[email protected]>
> > To: "'Brockhoven, Werner'" <[email protected]>; "'Satana'"
> >     <[email protected]>; <[email protected]>
> > Sent: Thursday, September 27, 2001 5:19 PM
> > Subject: RE: [FW1] NAT Problem
> >
> > >
> > > I would stay away from automatic NAT rules personally.  Do it manually, as
> > > there used to be issues with automatic NAT rules, and doing it manually
> > > gives you a finer level of control as well.
> > >
> > > Chris
> > >
> > > -----Original Message-----
> > > From: Brockhoven, Werner
> > > To: 'Satana'; [email protected]
> > > Sent: 9/26/01 2:13 AM
> > > Subject: RE: [FW1] NAT Problem
> > >
> > > Hello Lorenzo,
> > >
> > > So you are trying to configure static destination NAT.
> > >
> > > It may be easier to let FW-1 configure the NAT rule by configuring the
> > > NAT tab in the workstation object which represents the internal machine.
> > > Because you are using static destination NAT you'll have to configure a
> > > route on the firewall for the external IP address and have it point to
> > > the internal IP address of the www server.  In your firewall object
> > > you'll have to configure anti-spoofing on the internal interface and add
> > > the external IP address of the www server.  Finally you'll want to
> > > publish the external IP address on your gateway via ARP so the external
> > > router knows where to send the packets.
> > >
> > > Regards,
> > >
> > > Werner
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Satana [mailto:[email protected]]
> > > Sent: Tuesday, September 25, 2001 10:51 AM
> > > To: [email protected]
> > > Subject: [FW1] NAT Problem
> > >
> > >
> > > Hi everybody
> > > I've got this problem: I have to publish over www an internal machine
> > > (which obviously has an internal IP address) and I have to make FW1 NAT
> > > its IP to the external IP address (that is already routed on the right
> > > router & CDN).
> > > I've made a rule within the "Address Translation" which says as
> > > original packet:
> > > SOURCE : Internal IP
> > > DESTINATION : Any
> > > SERVICE : Any
> > > as translated packet:
> > > SOURCE : External IP
> > > DESTINATION : Original
> > > SERVICE : Original
> > > And it's obviously installed on the FW1 cluster.
> > > There's also a rule in the security policy:
> > > SOURCE : Any
> > > DESTINATION : External IP
> > > SERVICE : http
> > > ACTION : Accept
> > > What do I have to do now? To me it seems all fine, but it doesn't work.
> > > Where am I doing it wrong?
> > > Thanks in advance
> > >
> > > Lorenzo


_____________________________________________________________________
IMPORTANT NOTICES:
          This message is intended only for the addressee. Please notify the
sender by e-mail if you are not the intended recipient. If you are not the
intended recipient, you may not copy, disclose, or distribute this message
or its contents to any other person and any such actions may be unlawful.

         Banc of America Securities LLC("BAS") does not accept time
sensitive, action-oriented messages or transaction orders, including orders
to purchase or sell securities, via e-mail.

         BAS reserves the right to monitor and review the content of all
messages sent to or from this e-mail address. Messages sent to or from this
e-mail address may be stored on the BAS e-mail system.


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
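George's point about the missing reverse rule, together with the route, ARP and anti-spoofing items raised earlier in the thread, can be seen working in a small model. The Python below is an added example written for this page; it is not Check Point code and was not posted by anyone in the thread. It models FireWall-1 4.x's server-side translation order (routing and anti-spoofing operate on the untranslated destination, and translation happens on the egress interface), uses constructed RFC 5737 addresses for Internal_IP, External_IP and Vendor_IP, and writes the reverse NAT rule with Source Any, generalizing George's Vendor_IP row to any Internet client. The "rule 0" in the drop verdicts mirrors how FW-1 logs anti-spoofing drops.

```python
"""Toy model of the FireWall-1 4.x static-NAT path discussed in the thread.

Added example, not Check Point code. It models the three things the thread
says must line up for a statically NATed internal web server: a manual NAT
rule for each direction, a host route for the external address pointing at
the internal host, and anti-spoofing "valid addresses" on the internal
interface that include the external address. Translation is applied on the
egress interface, so routing and anti-spoofing see the UNtranslated
destination; that is why the route and the anti-spoofing entry are needed.
"""
from ipaddress import ip_address, ip_network

# Constructed addresses from the RFC 5737 documentation ranges; the thread
# names the hosts but gives no addresses.
INTERNAL_IP = ip_address("10.1.1.80")      # the web server (Internal_IP)
EXTERNAL_IP = ip_address("198.51.100.80")  # its published address (External_IP)
VENDOR_IP = ip_address("203.0.113.10")     # an Internet client (Vendor_IP)
ANY, ORIGINAL = "Any", "Original"

# Anti-spoofing "valid addresses" per interface. None stands for "Others":
# everything not claimed by some other interface.
TOPOLOGY = {"inside": [ip_network("10.1.1.0/24")], "outside": None}
FIXED_TOPOLOGY = {
    "inside": [ip_network("10.1.1.0/24"), ip_network(f"{EXTERNAL_IP}/32")],
    "outside": None,
}

# Host route on the firewall (Lorenzo's "route add EXT_IP INT_IP"):
# destination -> egress interface. Anything else follows the default route.
ROUTES = {EXTERNAL_IP: "inside"}
DEFAULT_IFACE = "outside"

# Manual NAT rules as (orig src, orig dst, translated src, translated dst).
ONE_WAY = [(INTERNAL_IP, ANY, EXTERNAL_IP, ORIGINAL)]            # Lorenzo's rule
TWO_WAY = ONE_WAY + [(ANY, EXTERNAL_IP, ORIGINAL, INTERNAL_IP)]  # plus the reverse

INBOUND = {"iface": "outside", "src": VENDOR_IP, "dst": EXTERNAL_IP}
REPLY = {"iface": "inside", "src": INTERNAL_IP, "dst": VENDOR_IP}


def valid_on(iface, addr, topology):
    """Anti-spoofing check: is addr inside the interface's valid addresses?"""
    nets = topology[iface]
    if nets is None:  # "Others": valid unless another interface claims it
        claimed = [n for ns in topology.values() if ns for n in ns]
        return not any(addr in n for n in claimed)
    return any(addr in n for n in nets)


def translate(pkt, nat_rules):
    """First match over the NAT rule base; returns (translated pkt, rule no.)."""
    for num, (src, dst, xsrc, xdst) in enumerate(nat_rules, start=1):
        if src in (ANY, pkt["src"]) and dst in (ANY, pkt["dst"]):
            out = dict(pkt)
            if xsrc != ORIGINAL:
                out["src"] = xsrc
            if xdst != ORIGINAL:
                out["dst"] = xdst
            return out, num
    return dict(pkt), None


def forward(pkt, nat_rules, topology=TOPOLOGY, routes=ROUTES):
    """Decide what happens to one packet ("rule 0" = anti-spoofing drop)."""
    if not valid_on(pkt["iface"], pkt["src"], topology):
        return {"verdict": "drop", "reason": f"rule 0: spoofed source on {pkt['iface']}"}
    egress = routes.get(pkt["dst"], DEFAULT_IFACE)   # routed before translation
    if not valid_on(egress, pkt["dst"], topology):
        return {"verdict": "drop",
                "reason": f"rule 0: {pkt['dst']} not a valid address on {egress}"}
    out, num = translate(pkt, nat_rules)             # translated on the way out
    return {"verdict": "forward", "egress": egress, "nat_rule": num,
            "src": out["src"], "dst": out["dst"]}


if __name__ == "__main__":
    cases = [
        ("one-way rule, External_IP missing from anti-spoofing", INBOUND, ONE_WAY, TOPOLOGY, ROUTES),
        ("one-way rule, anti-spoofing fixed", INBOUND, ONE_WAY, FIXED_TOPOLOGY, ROUTES),
        ("two-way rules, no host route", INBOUND, TWO_WAY, FIXED_TOPOLOGY, {}),
        ("two-way rules, route and anti-spoofing in place", INBOUND, TWO_WAY, FIXED_TOPOLOGY, ROUTES),
        ("server reply", REPLY, TWO_WAY, FIXED_TOPOLOGY, ROUTES),
    ]
    for title, pkt, rules, topo, routes in cases:
        print(f"{title}: {forward(pkt, rules, topo, routes)}")
```

Run it directly to print the five scenarios. Lorenzo's one-way rule with the external address missing from the internal interface's valid addresses is dropped at rule 0, the symptom he reported; with anti-spoofing fixed but only the one rule, the packet reaches the inside interface still addressed to External_IP, which the server does not own; without the host route it is routed towards the wrong interface; with both of George's rules, the route and the anti-spoofing entry, the inbound packet is translated to Internal_IP and the reply is translated back to External_IP. The model leaves out the security rule base, which in this translation order matches on the untranslated destination (hence Lorenzo's rule with Destination External IP), and the ARP publication, which only affects whether the external router delivers the packet to the firewall at all.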



 
   All contents © 2004 Network Presence, LLC. All rights reserved.